Configuring Impala Delegation for Hue and BI Tools

When users submit Impala queries through a separate application, such as Hue or a business intelligence tool,
typically all requests are treated as coming from the same user. In Impala 1.2 and higher, authentication is
extended by a new feature that allows applications to pass along credentials for the users that connect to
them (known as "delegation"), and issue Impala queries with the privileges for those users. Currently,
the delegation feature is available only for Impala queries submitted through application interfaces such as
Hue and BI tools; for example, Impala cannot issue queries using the privileges of the HDFS user.

The delegation feature is enabled by a startup option for impalad:
--authorized_proxy_user_config. When you specify this option, users whose names you specify
(such as hue) can delegate the execution of a query to another user. The query runs with the
privileges of the delegated user, not the original user such as hue. The name of the
delegated user is passed using the HiveServer2 configuration property impala.doas.user.

You can specify a list of users that the application user can delegate to, or * to allow a
superuser to delegate to any other user. For example:

impalad --authorized_proxy_user_config 'hue=user1,user2;admin=*' ...

Note:
Make sure to use single quotes or escape characters to ensure that any * characters do not
undergo wildcard expansion when specified in command-line arguments.